Malicious PDF — malware analysis report

Static analysis result for SHA-256 edd3071397a18722…

Verdict: MALICIOUS
File type: PDF
Size: 53.0 KB
Created: 2020-09-08 08:56:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1b05a00010f58d118423b7bf4d5abb0f
SHA-1: 6c0a22517e60b77b48343459636980db55acc778
SHA-256: edd3071397a1872258d26caf11d7a3c0755cb3e980f9e249e2f935d7c07ca7d9
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

This PDF file contains a large number of embedded links, many of which point to external PDFs, suggesting a link farm for SEO manipulation. One prominent link, 'https://ttraff.club/wix?keyword=adjectives+worksheets+for+class+6+with+answers', is identified as a malicious redirector. The document body, though partially corrupted, also contains this URL, indicating an attempt to lure users to malicious infrastructure under the guise of educational content. The ML classifier also flagged this PDF with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.club/wix?keyword=adjectives+worksheets+for+class+6+with+answers

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000074de.bin | 85dabdd5c2b0f75848f21b69bccb2e9bc3e0c716a9e8ed5b21a2c5a7bbdd8791 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x74DE | 5544 bytes
font_01_sfnt_off000087d5.bin | 207b859dfeee463e385b4f858dee168df5da3bdbc1c1013cf10296c6a62fc8da | pdf-font-stream | PDF embedded font (sfnt) at offset 0x87D5 | 12952 bytes
font_02_sfnt_off0000b117.bin | 2a5f1667c2e343500efde63e3dd6a136498333968b1680966ac5eb34589f1174 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB117 | 16144 bytes